Wednesday, November 13, 2013

Security's weakest link: Technology no match for social engineering

A security researcher says there is a 100-percent success rate any time pen-testing uses social engineering to target victims. Here are some of the techniques used.

Many of us in the security industry feel that the last couple of months have been a very busy time, centered primarily on the technological means that the NSA and other government agencies use to break security, get into our private networks, and read our data. We've also covered how criminals and other bad actors can harness the same technology to accomplish basically the same thing, but with a much more mundane goal: typically to make money at the expense of our own users. However, it's important to remember that most break-ins historically, and many still today, have nothing to do with technology. They are carried out by people who rely primarily on the human factor, not on devious code or custom malware. This is what the Social Engineer Capture the Flag contest is all about, and the report on the latest edition, held at DEF CON 21, has just been released.

The contest itself is organized by Social-Engineer Inc, a team sponsored by many security groups, which hosts the event at the conference every year. This year, 198 individuals and groups of social hackers entered, and the selection team picked 10 men and 10 women to test their skills against real Fortune 500 companies, including well-known brands such as Apple, Boeing, Exxon, and Walt Disney, to see whether they could get in using social engineering alone. The goal of these events is to raise awareness of the threat social engineering poses to security, a threat that many organizations have a hard time understanding. A budget for a new firewall or IDS is easy to quantify; putting hard numbers on social threats is much harder.

Social engineering techniques

The goal of the contestants is to obtain flags, specific pieces of information, from inside these companies. The 20 contestants were randomly assigned companies, with one male and one female social engineer per target. The EFF provided legal guidance on how far the contest could be pushed. Each contestant had two weeks to gather intelligence on the target company, and could only use open source intelligence (OSINT) from public sources such as Google, Facebook, Twitter, and LinkedIn. Then, during DEF CON 21 in Las Vegas, each contestant had a short window to make live calls to the target company.

Various techniques were permitted, including caller ID spoofing, and a panel of judges scored the calls. Points were awarded for each piece of information obtained: whether IT is handled in-house or outsourced, whether the company uses wireless networks, which browser and other software are in use, whether an employee could be persuaded to visit a target URL, and so on. Some of the results were expected; others gave insight into what social engineers rely on to get what they are after. The report includes a table of the sites contestants used during the information gathering phase.

Pretexting, in which a contestant adopts a false identity and a plausible reason for asking, was heavily used. In 65% of cases the pretext was a fellow employee, in 10% a student, in 10% a survey taker, in 10% a vendor, and in 5% a job seeker. While male and female contestants scored fairly closely during the information gathering phase, the report shows that women gained a clear advantage during the live calls.

Operation "Facebook hottie"

To further illustrate the validity of these findings, a research team at RSA Europe just presented their own doozy of a penetration-testing experiment that successfully socially-engineered an unnamed US government agency into handing over the "crown jewels" of its network. ZDNet's Violet Blue describes the path the researchers took: by using fake social media accounts and emails from an attractive young woman posing as a new employee, members of the agency were fooled into all sorts of lapses, including:
  • Opening a malicious holiday card link that helped the pen-testers to "gain administrative rights, obtain passwords, install applications and [steal] documents with sensitive information - some of which, according to the hackers, included information about state-sponsored attacks and country leaders"
  • Bypassing the usual controls for issuing a company laptop and access to the network
Researcher Aamir Lakhani had the chilling quote to sum it all up: "Every time we include social engineering in our penetration tests we have a hundred percent success rate."

The weakest link

In the end, what these experiments demonstrate is that social engineering remains a major threat. Even within the controlled scope of pen-testing agreements, the DEF CON contestants and the RSA research team gained access to most of the information they were after, much of it drawn from the large amount of private information that can be gathered through simple web queries. The winner of the DEF CON contest was not even a professional social engineer, and she scored most of her points through extensive information gathering.

The report goes on to describe steps organizations can take to mitigate the problem. First, information handling is critical: too often, private information ends up on publicly accessible servers or on social networks. Consistent, real-world education is an important mitigation, and so is regular penetration testing.

Would your users and employees be duped by these exploits? Is there a balance to be found between instilling the right amount of paranoia in users and not having daily routines grind to a halt?